Project: Lucee Development
LDEV-348

Invalid cookie name causes stack trace and can bring down Lucee/Tomcat

    Details

    • Type: Bug
    • Status: Deployed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 4.5.1.015
    • Fix Version/s: 4.5.1.016, 5.0.0.50
    • Labels: None
    • Environment:

      Description

      We recently had a server become unresponsive overnight. Looking at the logs, we've found some invalid cookies being sent which appear to be the cause.

      A request with an invalid cookie throws an uncaught IllegalArgumentException from the servlet container, followed by IllegalMonitorStateExceptions, which cause either Tomcat or Lucee to become unresponsive.

      The cookie in question looks to be intentionally malicious, and the request can be easily reproduced using curl:

      curl -v --cookie 'Greetz to M, st0n3d, Jorgee, CoLdZeRo, and Tomato lol!=0' http://example.com
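The failure mode in the report is a cookie name that is not a valid RFC 6265 token (it contains spaces and commas), which the servlet container rejects with an IllegalArgumentException once something asks it to parse the Cookie header. One defensive measure is to validate the raw Cookie header yourself and answer 400 before any downstream code calls request.getCookies(). The following servlet Filter is an added example for this page; it is not Lucee's or Tomcat's code and is not the fix shipped in 4.5.1.016 / 5.0.0.50. It assumes the javax.servlet API of that era, and the class name CookieNameFilter and the sample header in main() are made up for illustration (the header reuses the cookie from the curl command above).

```java
import java.io.IOException;
import java.util.Enumeration;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example (hypothetical class, not Lucee/Tomcat code): rejects requests
// whose Cookie header carries a cookie name that is not an RFC 6265 token,
// before any code downstream triggers the container's own cookie parsing.
public class CookieNameFilter implements Filter {

    // RFC 6265 cookie-name = token (RFC 2616): printable US-ASCII with no
    // control characters, no whitespace and none of these separators.
    private static final String SEPARATORS = "()<>@,;:\\\"/[]?={} \t";

    static boolean isValidCookieName(String name) {
        if (name == null || name.isEmpty()) return false;
        for (int i = 0; i < name.length(); i++) {
            char c = name.charAt(i);
            if (c <= 0x20 || c >= 0x7f || SEPARATORS.indexOf(c) >= 0) return false;
        }
        return true;
    }

    // Splits the raw header on ';' and checks only the name part of each
    // name=value pair; a pair with no '=' is treated as a bare name.
    static boolean headerHasInvalidName(String header) {
        for (String pair : header.split(";")) {
            String trimmed = pair.trim();
            if (trimmed.isEmpty()) continue;
            int eq = trimmed.indexOf('=');
            String name = eq < 0 ? trimmed : trimmed.substring(0, eq).trim();
            if (!isValidCookieName(name)) return true;
        }
        return false;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // Read the header as text; getHeaders() does not parse cookies.
        Enumeration<String> headers = request.getHeaders("Cookie");
        while (headers != null && headers.hasMoreElements()) {
            if (headerHasInvalidName(headers.nextElement())) {
                // Fail fast with a 400 instead of letting the container throw.
                ((HttpServletResponse) res).sendError(
                        HttpServletResponse.SC_BAD_REQUEST, "Malformed Cookie header");
                return;
            }
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    // Stand-alone check against the header from the report (constructed input).
    public static void main(String[] args) {
        String malicious = "Greetz to M, st0n3d, Jorgee, CoLdZeRo, and Tomato lol!=0";
        String benign = "JSESSIONID=abc123; CFID=42";
        System.out.println("malicious rejected: " + headerHasInvalidName(malicious)); // true
        System.out.println("benign rejected:    " + headerHasInvalidName(benign));    // false
    }
}
```

The filter only helps if it is mapped first in the chain and nothing that runs before it (a Valve, a session manager, another filter) touches the cookies; any such component will still hit the container's parser and the exception the report describes. It also does not address the IllegalMonitorStateExceptions that followed, which the report attributes to the unhandled first exception rather than to the cookie itself.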


People

• Assignee: Michael Offner (michaeloffner)
• Reporter: Chris Blackwell (chrisblackwell)
• Votes: 1
• Watchers: 3
